ASA5510 with VPN and hairpinning

Unanswered Question
Aug 1st, 2008

I have an ASA5510 I want to place in my network for firewalling and VPN purposes. It is replacing the Cisco 2821 router using the VPN and firewall modules.

I would like to "hairpin" VPN users and restrict them to a subset of my outside IP addresses; i.e. they connect to the outside port on 64.244.xx.2 /25 (split tunneling is disabled), but to the outside world they then have an outside IP address of 64.244.xx.96-.126.

Is this possible and can I also allow them access into my internal network at the same time?

Or should I set up separate VPN groups; one that gets internal access and an internal IP or 192.168.252.0 /24, and one that is hairpinned out to the Internet using routeable IPs?

What is the best way to do this? I have been going through every option under the ASDM, but to no avail. I can provide my current config if needed.

Thanks.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
acomiskey Fri, 08/01/2008 - 17:21

Hairpinning is no problem, should be your solution. Assuming vpn client subnet pool is 192.168.100.0/24.

same-security-traffic permit intra-interface

global (outside) 10 64.244.xx.96-64.244.xx.126

nat (outside) 10 192.168.100.0 255.255.255.0

Then configure your vpn access to inside as usual.

access-list nat0 extended permit ip any 192.168.100.0 255.255.255.0

nat (inside) 0 access-list nat0

Also be sure to disable split tunnel.

kerryjcox Fri, 08/01/2008 - 18:16

Excellent. I will be configuring this tomorrow for all the employees. I'll give your recommendations a go. Sounds like a valid solution. Will let you know the outcome.

Much appreciated.

kerryjcox Sat, 08/02/2008 - 21:16

Thanks much. I attempted to place the 5510 in front of my 2821 late this evening and had no luck getting any sort of Internet connection out. Something must be foobar with my new config. Was not even able to attempt a hairpin VPN connection as Internet connectivity was down.

Am attaching configs for both the 2821 and the 5510 along with my proposed changes.

Maybe someone can see what I was doing wrong.

acomiskey Sun, 08/03/2008 - 12:19

I think you're missing a route on your 5510.

route inside 192.168.252.0 255.255.255.0 172.17.10.2

kerryjcox Sun, 08/03/2008 - 13:48

That makes sense. I've been looking over both configs and that looks right.

I'll give it another shot tomorrow evening.

I am attaching a copy of the Visio diagram showing how I would like it to be.

Your comments are much appreciated. Thanks for the clarification.

acomiskey Sun, 08/03/2008 - 16:50

You also are missing something like this...

global (outside) 1 interface

nat (inside) 1 0 0

kerryjcox Mon, 08/04/2008 - 14:08

Adding this route to the 5510 yields this error:

firewall(config)#route inside 192.168.252.0 255.255.255.0 172.17.10.2

ERROR: Cannot add route, connected route exists

All the routes appear to be good and I do not see what the issue can be.

nat-control

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) esva.external esva.internal netmask 255.255.255.255

static (inside,outside) mediamail.external mediamail.internal netmask 255.255.255.255

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 64.244.87.1 1

Thanks.

kerryjcox Tue, 08/05/2008 - 07:17

I also made some changes to my ASA5510 last night that I was hopeful would work.

Here is the current ASA5510 config with the proper routes and NAT'ing. Again, it's IP is 192.168.252.10 as the management IP.

Users were still NOT able to get out to the Internet.

I did a "sho ip routes" on both the 2821 and the 5510 when they were in-line and though they could talk to each other and the routing tables looked good, I could not get out on the Internet.

Here are the commands I issued to the 2821 after I placed the 5510 in-line.

conf t

interface GigabitEthernet0/0

no ip address 64.244.87.2 255.255.255.128

ip address 172.17.10.2 255.255.255.252

no ip route 0.0.0.0 0.0.0.0 64.244.87.1 name XO-ROUTER

ip route 0.0.0.0 0.0.0.0 172.17.10.1 name ASA5510

no ip nat source static 192.168.252.10 64.244.87.10

acomiskey Tue, 08/05/2008 - 07:30

Fix your mask if it is /25.

interface Ethernet0/0

description Outside interface

nameif outside

security-level 0

ip address 64.244.87.2 255.255.255.128

Second, your nat (inside) should reflect internal network you wish to nat, not the external vpn network.

global (outside) 1 interface

global (outside) 10 64.244.87.96-64.244.87.126

nat (inside) 1 0 0

nat (outside) 10 172.18.10.0 255.255.255.192

kerryjcox Tue, 08/05/2008 - 08:16

Dang. You're right....

I guess being the only person in the office who does Cisco is a distinct disadvantage. It helps to have some extra eyes take a look.

I'll make these changes and let you know how it goes.

Thanks much.

Actions

This Discussion